Method for encrypting a plurality of data in a secure set

ABSTRACT

A server-implemented method encrypting at least two pieces of indexed data as lists of elements, each element belonging to a finite set of indexed symbols on an alphabet. The data is encrypted to form a protected set, including: the server randomly generates, for each datum, a corresponding encoding function; if at least one element that constitutes a datum is the symbol of the alphabet, the server determines the image of the symbol of the alphabet via the encoding function corresponding to the datum to obtain a codeword coordinate and adds the codeword coordinate to an indexed set corresponding to the element of the alphabet; then the server completes the indexed set with error-inducing points; the server randomly reindexes the elements of the indexed set corresponding to the symbol of the alphabet; and the server adds the indexed set to the protected set. The method can identify an individual.

FIELD OF THE INVENTION

The invention concerns the field of the encrypting of data and the comparison of encrypted data with a candidate data item for assessing similarities between one of the encrypted data items and the candidate data item.

The invention is applicable in particular to the field of biometry, for encrypting individual biometric data, and identifying a candidate individual by comparing one of his biometric data with the encrypted data.

PRIOR ART

A method for encrypting a data item known by the term “fuzzy vault” scheme is known, this method having been described in the following articles:

-   Ari Juels and Madhu Sudan, A fuzzy vault scheme. In Proceedings of IEEE International Symposium on Information Theory, ISIT, Lecture Notes in Computer Science, page 408, 2002, and
-   Ari Juels and Madhu Sudan, A fuzzy vault scheme. Des. Codes Cryptography, 38(2):237-257, 2006

The “fuzzy vault” scheme consists of integrating, in a mathematical set called “fuzzy vault”, and referred to hereinafter as a “protected set”, information related to a data item A, as well as supplementary parasitic information that is generated randomly and is independent of the data item A. This parasitic information makes it possible to mask the information related to A.

More precisely, this encrypting applies to a data item A in the form of a list of indexed elements a_(i) of a finite field F.

During this method, a polynomial p having certain mathematical properties not described here is generated randomly and, for each element a_(i) of A, the image by p of the element a_(i) is computed.

The pairs consisting of the elements a_(i) of the data item A and their images by p are then added to the protected set.

And finally, error-inducing points are added to the protected set, these points being randomly generated pairs (x_(i), x_(i)′), such that x_(i) is not an element of A, and x_(i)′ is not the image by p of x_(i). Mathematically, x_(i)∈F\A, x_(i)′∈F\{p(x_(i))}.

A set of pairs (x_(i)*, x_(i)*′) is therefore obtained in which either the abscissas x_(i)* belong to A and x_(i)*′=p(x_(i)*), or they belong to F\A, and in this case x_(i)*′ are chosen in F\p(A).

Adding a large number of error-inducing points makes it possible to mask the points related to the data item A and to the polynomial p.

Next, the protected set is used to compare a second data item B with the data item A, without obtaining information on said data item A.

To do this, decrypting algorithms have been developed, making it possible to compare a data item B, in the form of a list of indexed elements b_(i), with the protected set, in order to determine whether the data item B corresponds to the data item A with a degree of similarity exceeding a predetermined threshold.

In particular, B corresponds to A if a large number of elements b_(i) correspond to elements a_(i) of A, the latter elements being situated by definition in the protected set.

The argument of these decrypting algorithms is the elements b_(i) of the data item B that correspond to abscissas x_(i) of the protected set, and their result is a polynomial p′. If B corresponds sufficiently to A, the polynomial p′ is the polynomial p that was used for encrypting the data item A.

It is then possible to apply this polynomial p to all the elements b_(i) of B corresponding to abscissas x_(i) of the protected set in order to determine which elements b_(i) are also elements a_(i) of A, since by construction only the pairs comprising an element and an image of this element by p are elements of A.

An example of a suitable decrypting algorithm is of the type for decrypting a Reed-Solomon code.

The fuzzy vault scheme therefore makes it possible to compare two data items without obtaining information on one of the data.

However, it is limited to a comparison of two data items and cannot be applied to a comparison of a data item with a set of several data in a data bank. This type of comparison is however used more and more frequently, in particular in the context of the biometric identification of individuals.

There therefore exists a need for extending the principle of the fuzzy vault scheme to a plurality of data in a data bank, so as to enable a comparison of the data in the bank with a given third party, without obtaining information on these.

Presentation of the Invention

One aim of the invention is to overcome the problem mentioned above.

This aim is achieved in the context of the present invention by means of a method for encrypting a set of at least two indexed data implemented by a server, the data being in the form of lists of elements, each element of which belongs to a finite set of indexed symbols called an alphabet,

the method being characterised in that the data is encrypted to form a protected set, the step of encrypting and creating the protected set comprising the following steps:

-   the server randomly generates, for each data item in the base, a corresponding encoding function, and
-   for each symbol of the alphabet,
    -   for each data item,
        -   if at least one element of the list that constitutes the data item is the symbol of the alphabet, the server determines the image of said symbol of the alphabet via the encoding function corresponding to the data item in order to obtain a codeword coordinate that is a function of the data item and of the symbol of the alphabet,
        -   the server adds the codeword coordinate thereby obtained to an indexed set corresponding to the element of the alphabet, the set having a predetermined cardinal,
    -   then the server randomly re-indexes the elements of the indexed set corresponding to the symbol of the alphabet, and
    -   the server adds the indexed set corresponding to the symbol of the alphabet to the protected set.

Advantageously, but optionally, the invention may further comprise at least one of the following features:

-   for each symbol in the alphabet, prior to the re-indexing step, the server completes the indexed set corresponding to the alphabet element with error-inducing points;
-   for the symbols of the alphabet that do not correspond to any element of the data in the base,
    -   the server randomly selects some of said elements,
    -   for each element selected, it creates a predetermined cardinal set with an index corresponding to that of the element, and adds to this element as many error-inducing points as the cardinal of the element;
-   the non-selected symbols of the alphabet are associated with an empty set;
-   the error-inducing points are points generated randomly among a destination set of the encoding functions, deprived of the images of the symbols of the alphabet by the encoding functions corresponding to the data;
-   the encoding functions corresponding to the data are associated with an evaluation code for which there exists at least one list recovery algorithm;
-   the evaluation code is a folded Reed-Solomon code, a Reed-Muller code or an algebraic code;
-   the server computes the image of each encoding function corresponding to a data item by means of a public hash function, and adds said image to the protected set;
-   the data are biometric data;
-   the biometric data comprise information relating to the fingerprints of individuals, said data being in the form of lists of triplets (x, y, θ) of coordinates of minutiae of fingerprints of individuals;
-   each coordinate of a triplet (x, y, θ) is coded on one byte, and the alphabet contains all the possible configurations of triplets each coordinate of which is coded on one byte.

The invention further concerns a method for identifying an individual, in a system comprising a control server, suitable for acquiring a biometric data item of the individual to be identified, and a server managing a base containing individual biometric data of listed individuals,

in which, in order to identify the individual, his data item is compared with the N data in the base in order to identify the data item or items in the base having a degree of similarity with the data item of the individual exceeding a predetermined threshold,

the method being characterised in that, before the step of comparing the data item of the individual with the data in the base, these are encrypted by the management server using the method according to one of the preceding claims.

Advantageously, but optionally, the identification method may also comprise at least one of the following features:

-   the biometric data item of the individual to be identified is in the form of a list of elements, each element of which is a symbol of the alphabet, and in which the management server communicates the protected set to the control server and, from the biometric data item of the individual to be identified, the control server implements a step of decrypting the protected set, the decrypting step comprising the steps consisting of:
    -   selecting a subset of the protected set comprising all the indexed sets corresponding to the symbols of the alphabet present in the list of elements that constitutes the data item of the individual,
    -   using a list recovery algorithm the argument of which is said selected subset and the result of which is a set of encoding functions such that, if the data item of the individual corresponds to a data item in the base, the set of encoding functions contains the encoding function corresponding to said data item,
-   from the encoding function or functions obtained, the control server determines the data item or items in the base corresponding to the data item of the individual with a degree of similarity greater than a predetermined threshold,
-   the control server determines the image of the encoding functions of the set resulting from the list recovery algorithm by means of the public hash function, and compares this image with the images of the encoding functions corresponding to the data in the base contained in the protected set.

PRESENTATION OF THE FIGURES

Other features, aims and advantages of the invention will emerge from the following description, which is purely illustrative and non-limitative, and which must be read with regard to the accompanying drawings, in which:

FIG. 1 a shows the steps of the encrypting method proposed by the invention.

FIG. 1 b is the algorithm implementing the first steps of the method.

FIG. 2 shows the steps of the decrypting method.

FIG. 3 shows schematically the implementation of the identification method according to the invention.

FIGS. 4 a, 4 b and 4 c show the conventions used for coding a fingerprint of an individual.

DETAILED DESCRIPTION OF AT LEAST ONE EXAMPLE EMBODIMENT

The main steps of a method for encrypting a plurality of data A_(j) in a database DB are described with reference to FIG. 1.

Notations and Vocabulary

The database DB contains a number n of secret data A^(j) (j=1 . . . n), each data item A^(j) being in the form of a list of elements, for example of t indexed elements α_(i)^(j), i=1 . . . t, so that each A^(j) is written A^(j)=(α₁^(j), . . . , α_(t)^(j)). Alternatively, the data A^(j) may be of different sizes from one another.

The elements α_(i)^(j) of each A^(j) are preferably binary elements or vectors, each coordinate of which is a binary element.

The present invention fits within code theory, which uses certain mathematical objects, the definitions of which are given again here.

is an alphabet, that is to say a set containing N symbols x₁ . . . x_(N), such that each element of the data item A^(j) is a symbol of the alphabet. This alphabet is defined according to the way in which the data A^(j) are coded.

Thus for example, if the elements of the data A^(j) are values coded on a certain number of bits, the alphabet comprises all the binary codes coded on this number of bits. For data A^(j) coded on one byte, the alphabet comprises the two hundred and fifty six (256) possible bytes.

An evaluation function is also defined as follows:

-   let D be a finite set,
-   let P₁ . . . P_(N) be N distinct points of coordinates taken in D,
-   let P be a subset of the set of functions of the Cartesian product D× . . . ×D with values in a set Y, Y being able for example to be the set D,
-   an evaluation function ev is defined by

$ev: P \rightarrow Y^{N},\quad f \mapsto \left( f(P_{1}),\ldots,f(P_{N}) \right).$

Furthermore, if L_(k) is a subset of P of dimension k, C=ev(L_(k)) is an evaluation code defined by L_(k). It is said that C is an evaluation code on Y of length N and dimension k.

Finally, codeword means an element of the code C, that is to say the evaluation of a function f by the evaluation function ev(f).

Encrypting of the Data in the Base

The encrypting 100 of the data A^(j) in the base is done by the implementation, by a computer server, of the steps identified in FIG. 1.

Generation of the Encoding Functions

During step 110, a server randomly generates, for each data item A^(j) in the base, a corresponding encoding function F_(j).

Encoding function means a function that associates a coordinate of a codeword with an element.

In the present case, encoding functions F_(j) associated with an evaluation code for which there exists a list recovery algorithm are chosen.

For example, Reed-Muller codes are known, algebraic codes such as Goppa codes, or codes known by the term “folded Reed-Solomon codes”.

In the context of the present invention, a folded Reed-Solomon code is advantageously used, which is defined as follows:

-   let F be a finite field of cardinal q (F=GF(q)), and γ a generator of F,
-   the version folded m-times of the Reed-Solomon code C[u, k], denoted , is a code of block size $N = \frac{u}{m}$ on F^(m), where u=q−1 is divisible by m,
-   the coding of a message p∈F[X] of degree at most k−1 is given by the application of the evaluation function ev(f)=(f(P₁), . . . , f(P_(N))) where P_(i)=γ^(m(i−1)) and

$f(x) = \begin{bmatrix} p(x) \\ \vdots \\ p\left( x \times \gamma^{m - 1} \right) \end{bmatrix}.$

In the case of an evaluation code of the folded Reed-Solomon code type, the encoding functions F_(j) corresponding to the data A^(j) are then defined as follows:

-   let f_(j) be a function chosen randomly in F[X], for example it may be a polynomial of degree k−1,
-   F_(j)(x_(i))=f_(j)(P_(i)), where P_(i)=γ^(m(i−1)). F_(j)(x_(i)) is the i^(th) coordinate of the codeword ev(f_(j)).

Encoding of the Data in a Protected Set

Returning to FIG. 1, the server generates, during an encoding step 120, from the encoding functions, a protected set LOCK(A^(j)) in which the data in the base are encrypted.

To do this, the server generates, during a step 121, as many sets S_(i) as there are symbols in the alphabet, each set S_(i) corresponding to an element x_(i) in the alphabet.

The server also defines two security parameters, l and r.

The first security parameter, l, is an integer associated with an indexed set S_(i). This integer may vary from one set S_(i) to another, or be the same for all the sets S_(i).

The second security parameter, r, is also an integer. Its role is described in more detail hereinafter.

When the algorithm is initialised, the sets S_(i) contain no element.

Then, for each symbol x_(i) in the alphabet,

-   for each data item A^(j) in the base,
    -   if x_(i)∈A^(j) then the server calculates the image of the symbol x_(i) by the encoding function F_(j) corresponding to the data item A^(j), F_(j)(x_(i)), during a step 122. As indicated previously, this image is a coordinate of a codeword, a function of the data item A^(j) and of the symbol x_(i) of the alphabet. The server adds this value to the set S_(i) corresponding to the symbol x_(i).
-   Then the server adds to the indexed set S_(i) parasitic or error-inducing points, during a step 123, until the cardinal of the indexed set S_(i) reaches the integer l determined previously.

The error-inducing points are chosen randomly in the set Y deprived of images of the symbols of the alphabet by the encoding functions F_(j) corresponding to the data A^(j). Thus these error-inducing points are independent of the encoding functions.

These error-inducing points prevent identification of the authentic codewords. They therefore prevent the determination of the encoding functions F_(j) of the data A^(j) from the symbols of the alphabet and the codewords.

The integer l is a security parameter of the encrypting method. Its value depends on the decrypting algorithm that it is wished to use subsequently and the computing time that can be tolerated. Where it is chosen to use a folded Reed-Solomon code, the integer l is typically less than m, m being one of the parameters of the folded Reed-Solomon code, and also less than the number n of data A^(j) in the base.

Moreover, the server holds a counter of the number of non-empty indexed sets S_(i), this counter being incremented by 1 if a symbol x_(i) of the alphabet is present in at least one of the data A^(j). The counter value is called cpt.

At the end of these first steps 122, 123, empty indexed sets S_(i) may remain, if the symbol of the corresponding alphabet x_(i) is not present in any data A^(j) in the base.

The server then randomly chooses, during a step 124, indices i_(e), i_(e)={i_(cpt+1), . . . , i_(r)}, such that the indexed sets S_(i_(e)) are empty, and adds parasitic or error-inducing points to these sets, until the cardinal of each indexed set S_(i_(e)) reaches the value l.

Here again, the error-inducing points are chosen in Y deprived of images of the symbols of the alphabet by the encoding functions F_(j) corresponding to the data A^(j), that is to say in Y∖{F_(d)(x_(i_(e)))}_(d=1, … , n).

At the end of step 123, N-r empty sets S_(i) remain.

The security parameter r therefore represents the number of non-empty indexed sets S_(i) at the end of the encrypting step 120.

r is a positive integer, less than N, the number of symbols in the alphabet, chosen according to the number of data A^(j) in the base. Preferably, r has been chosen so that r has the same order of magnitude as N, the number of symbols in the alphabet. It is even possible to have r=N, so that no empty set remains during the encrypting step 120.

By way of non-limitative example, N may have an order of magnitude of 10⁴, and then r is preferably between a few thousands and the value of N, around a few tens of thousands.

This step 124 of adding error-inducing points in sets S_(i_(e)) not comprising any codeword confers additional security on the encrypting algorithm since these sets S_(i_(e)) prevent a determination of which symbols of the alphabet are present in the data A^(j) in the base.

The mathematical algorithm of steps 121 to 124 is appended in FIG. 1 b.

Finally, during a step 125, the server scrambles the elements of each indexed set S_(i). This scrambling is implemented by random re-indexing of the elements within each set S_(i).

Indeed, the codewords having been added first to the sets S_(i), their position in these sets would make it possible to identify them. The scrambling thus enables the codewords to have a random position in the sets S_(i).

Finally, during a step 126, pairs consisting of a symbol of the alphabet and a corresponding indexed set are added to the protected set LOCK, for each symbol in the alphabet.

For probative purposes elaborated on below, the server may also, during a step 127, calculate the image by means of a public hash function Hash of each encoding function F_(j) that was used to generate the codewords, and integrate these images Hash(F_(j)) in the set LOCK, which is then written LOCK(A^(j),Hash(F_(j))).

Decrypting

Once the data A^(j) have been encrypted in the set LOCK, this set is used to determine, from a data item B, the data item A^(j) having the most similarities with the data item B, without providing any information on the data A^(j). It is this step 200 that is called decrypting, and the steps of which are illustrated in FIG. 2.

The data item B is a list of t elements {b₁, . . . , b_(t)}, each element b_(i) of which is a symbol x_(i) in the alphabet.

A server having to proceed with the decrypting selects, during a step 210, among the indexed sets S_(i) stored in the set LOCK, those S_(i_(e)) corresponding to elements x_(i_(e)) included in B, that is to say the sets S_(i_(e)) the indices i_(e) of which are such that x_(i_(e))=b_(e), for e=1, . . . , t.

The server next uses a list recovery algorithm having as its input all the pairs {(x_(i_(1)), S_(i_(1))), . . . , (x_(i_(t)), S_(i_(t)))}, during a step 220.

This list recovery algorithm depends on the code chosen to encrypt the data A^(j). In the case where the code is a folded Reed-Solomon code, a suitable list recovery algorithm is the Guruswami list decrypting algorithm described in the publication by Venkatesan Guruswami, Linear-algebraic list decoding of folded Reed Solomon Codes, in IEEE Conference on Computational Complexity, pages 77-85. IEEE Computer Society, 2011.

The list recovery algorithm supplies as a result a list of codewords that have a degree of similarity with the indexed sets S_(i) that exceeds a predetermined threshold. From these codewords, one or more encoding functions are deduced that correspond to the encoding function or functions F_(j) of the data A^(j) that have a degree of similarity with the data item B above a predetermined threshold.

In particular, if the data item B corresponds to one of the data A^(j), the encoding function F_(j) corresponding to this data item A^(j) is obtained from the results of the list recovery algorithm.

The functions resulting from this algorithm are such that, for a proportion of the x_(i_(e)) such that x_(i_(e))=b_(e), said proportion being determined from the similarity threshold between the data A^(j) and the data item B, this gives F_(j)(x_(i_(e)))∈S_(i_(e)), which is the case only for data A^(j) similar to B.

If it is wished to obtain the proof that a function that is the result of this algorithm is indeed an evaluation function of a corresponding data item A^(j), the server can calculate, during a verification step 230, the image of this result function by the public hash function Hash mentioned above, and compare this result with the hashings of each of the data A^(j) that are stored in the protected set LOCK.

Finally, from the encoding function F_(j), the server can find the data item A^(j). To do this, the image of all the symbols x_(i) are computed by means of the encoding function F_(j), and it is determined whether F_(j)(x_(i)) belongs to the indexed set S_(i). If such is the case, then x_(i) belongs to the data item A^(j). It is then possible to reconstruct the data item A^(j).
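The encrypting steps 110 to 127 and the reconstruction of a data item A^(j) from its encoding function F_(j), as an added Python sketch that is not part of the original patent text. It assumes a toy field GF(257) with generator 3, m=4, k=3, l=3, SHA-256 standing in for the public hash function Hash, and hypothetical function names (encode, poly_hash, fill_with_chaff, lock, reconstruct); the list recovery step 220 is not implemented.

```python
import hashlib
import secrets

# Toy parameters: assumptions for this sketch, far too small for real use.
Q = 257             # field F = GF(Q), Q prime
GAMMA = 3           # generator of the multiplicative group of F
M = 4               # folding parameter m, divides u = Q - 1
N = (Q - 1) // M    # number of symbols x_1..x_N (block length N = u/m)
K = 3               # f_j has degree at most K - 1; K <= M keeps images distinct
L = 3               # security parameter l: cardinal of each non-empty S_i
RNG = secrets.SystemRandom()


def encode(poly, i):
    """F_j(x_i): i-th coordinate of the folded codeword, an element of Y = F^m."""
    base = pow(GAMMA, M * (i - 1), Q)            # P_i = gamma^(m(i-1))
    coord = []
    for t in range(M):
        x = base * pow(GAMMA, t, Q) % Q
        coord.append(sum(c * pow(x, e, Q) for e, c in enumerate(poly)) % Q)
    return tuple(coord)


def poly_hash(poly):
    """Hash(F_j), with SHA-256 standing in for the public hash function."""
    return hashlib.sha256(b"".join(c.to_bytes(2, "big") for c in poly)).hexdigest()


def fill_with_chaff(s_i, excluded):
    """Steps 123/124: add error-inducing points of Y until |S_i| = l."""
    while len(s_i) < L:
        point = tuple(secrets.randbelow(Q) for _ in range(M))
        if point not in excluded and point not in s_i:
            s_i.append(point)


def lock(data, r):
    """Build LOCK from a list of sets of symbol indices (1..N).

    Returns (sets, hashes, polys); polys are returned only so the sketch can
    be checked, a real server would not publish them.
    """
    polys = []
    while len(polys) < len(data):                # step 110: distinct random f_j
        p = tuple(secrets.randbelow(Q) for _ in range(K))
        if p not in polys:
            polys.append(p)
    sets = {i: [] for i in range(1, N + 1)}      # step 121: empty S_i
    for i, s_i in sets.items():                  # step 122: genuine coordinates
        s_i.extend(encode(p, i) for a, p in zip(data, polys) if i in a)
        if len(s_i) > L:
            raise ValueError(f"symbol {i} occurs in more than l={L} data items")
    used = [i for i, s_i in sets.items() if s_i]
    if not len(used) <= r <= N:
        raise ValueError("r must lie between cpt and N")
    unused = [i for i in sets if i not in used]
    for i in used + RNG.sample(unused, r - len(used)):   # steps 123 and 124
        fill_with_chaff(sets[i], {encode(p, i) for p in polys})
        RNG.shuffle(sets[i])                     # step 125: random re-indexing
    hashes = {poly_hash(p) for p in polys}       # step 127
    return sets, hashes, polys                   # step 126: pairs (i, S_i)


def reconstruct(sets, poly):
    """Recover A^j from F_j: x_i belongs to A^j iff F_j(x_i) is in S_i."""
    return {i for i, s_i in sets.items() if encode(poly, i) in s_i}


if __name__ == "__main__":
    # Constructed sample data: three items sharing some symbols.
    data = [{1, 5, 9, 20}, {5, 9, 33, 40}, {2, 9, 41, 60}]
    vault, hashes, polys = lock(data, r=40)
    for a, p in zip(data, polys):
        assert poly_hash(p) in hashes            # verification step 230
        print(sorted(reconstruct(vault, p)), "==", sorted(a))
```

Symbol 9 belongs to all three constructed data items, so its set S_(9) holds three genuine coordinates and no error-inducing point, which shows why l bounds the number of data items that may share a symbol.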

Application to Biometric Identification

A preferential application of this encrypting algorithm and the corresponding decrypting algorithm is that of biometric identification.

Biometric identification is illustrated schematically in FIG. 1 b.

The identification of an individual consists of comparing a data item particular to this individual with similar data of referenced individuals in order to determine whether the individual to be identified corresponds to one of the referenced individuals with a degree of similarity exceeding a predetermined threshold.

The referenced individuals may for example be individuals whose access to a place is authorised, or alternatively individuals sought by the police.

For example, in FIG. 3, the data item B is an acquisition coded in binary, by a control server SC, of a biometric character b of the individual I whom it is wished to identify.

This biometric character may for example be an iris or a fingerprint.

With reference to FIG. 4, the way in which the fingerprints are coded has been illustrated. A fingerprint 10 illustrated in FIG. 4 a is characterised by irregularities referred to as minutiae 11 on the lines 12 that make them up. The minutiae 11 may for example be ends of lines or bifurcations.

The number, form and position of the minutiae on a fingerprint 10 make this fingerprint unique and specific to the individual carrying it. Consequently it is the minutiae that are used to code a fingerprint.

The coding of a fingerprint 10 is a set of triplets (x, y, θ) in which x and y indicate the abscissa and the ordinate of a minutia on a normalised reference frame identified in FIGS. 4 a, 4 b and 4 c, and θ is the angle formed by the direction of the line 12 with respect to the X-axis. More precisely, in FIG. 4 b, the minutia depicted is a line end, and θ is the angle between the direction of the line before being interrupted and the X-axis. In FIG. 4 c, the minutia represents a bifurcation, and θ is the angle between the direction of the line before bifurcation and the X-axis.

x, y, and θ are each coded on one byte. The corresponding alphabet for the encrypting method consists of all the possible triplets each coordinate of which is coded on one byte. There exist 256 (2⁸) possible bytes and therefore the alphabet contains N=256³ elements.

Returning to FIG. 3, biometric data A^(j) of referenced individuals are stored in a database DB managed by a management server SG.

The management server SG uses the encrypting method described above on the data A^(j) in order to create a protected set LOCK (A¹, . . . , A^(N)).

When an individual presents himself in order to be identified, the control server SC acquires a biometric data item B, either by means of a fingerprint sensor or by reading a chip stored in an identity document.

The control server SC then uses the decrypting algorithm described above in order to determine which data item A^(j), if such exists, corresponds to the data item B of the individual with a degree of similarity above a predetermined threshold.

An encrypting algorithm has therefore been developed enabling a plurality of data A^(j) to be encoded in a protected set. This algorithm constitutes an extension of the fuzzy vault scheme, the latter not making provision for coding several data, even more so when these data have elements in common.

This algorithm also makes it possible to minimise the storage space for the encoding of the data since the error-inducing points are added for all the data.

Furthermore, it makes it possible to effect only one decoding for all the data, which may represent a saving in computing time, depending on the list recovery algorithm to be used.

1. Method for encrypting a set of at least two indexed data items (A^(j)), implemented by a server, the data (A^(j)) being in the form of lists of elements (α_(i)^(j)), each element of which belongs to a finite set ( ) of indexed symbols (x_(i)) called an alphabet, the method being characterised in that the data (A^(j)) are encrypted to form a protected set (LOCK (A¹, . . . , A^(N))), the step of encrypting and creating the protected set comprising the following steps: the server randomly generates, for each data item (A^(j)) in the base, a corresponding encoding function (F_(j)), and for each symbol (x_(j)) of the alphabet ( ), for each data item (A^(j)), if at least one element (α_(i)^(j)) of the list that constitutes the data item is the symbol (x_(i)) of the alphabet, the server determines the image of said symbol (x_(i)) of the alphabet via the encoding function (F_(j)) corresponding to the data item (A^(j)) in order to obtain a codeword coordinate F_(j)(x_(i)) that is a function of the data item and of the symbol of the alphabet, the server adds the codeword coordinate F_(j)(x_(i)) thereby obtained to an indexed set (S_(i)) corresponding to the element of the alphabet (x_(i)), the set having a predetermined cardinal (l), then the server randomly re-indexes the elements of the indexed set (S_(i)) corresponding to the symbol (x_(i)) of the alphabet ( ), and the server adds the indexed set (S_(i)) corresponding to the symbol (x_(i)) of the alphabet to the protected set (LOCK (A¹, . . . , A^(N))), and in that, for each symbol (x_(i)) in the alphabet ( ), prior to the re-indexing step, the server completes the indexed set (S_(i)) corresponding to the alphabet element (x_(i)) with error-inducing points.

2. Method according to claim 1, in which, for the symbols (x_(i)) of the alphabet that do not correspond to any element of the data in the base, the server randomly selects some of said elements (x_(i)), for each element (x_(ie)) selected, it creates a predetermined cardinal set (S_(ie)) with an index corresponding to that of the element (x_(ie)), and adds to this element (x_(ie)) as many error-inducing points as the cardinal of the element.

3. Method according to claim 2, in which the non-selected symbols (x_(i)) of the alphabet ( ) are associated with an empty set.

4. Method according to claim 2, in which the error-inducing points are points generated randomly among a destination set (Y) of the encoding functions, deprived of the images F_(j)(x_(i)) of the symbols (x_(i)) of the alphabet ( ) by the encoding functions (F_(j)) corresponding to the data (A^(j)).

5. Method according to claim 1, in which the encoding functions corresponding to the data (F_(j)) are associated with an evaluation code for which there exists at least one list recovery algorithm.

6. Method according to claim 5, in which the evaluation code is a folded Reed-Solomon code, a Reed-Muller code or an algebraic code.

7. Method according to claim 1, in which the server computes the image (Hash(F_(j))) of each encoding function (F_(j)) corresponding to a data item (A^(j)) by means of a public hash function (Hash), and adds said image to the protected set.

8. Encrypting method according to claim 1, in which the data (A^(j)) are biometric data.

9. Encrypting method according to claim 8, in which the biometric data (A^(j)) comprise information relating to the fingerprints of individuals, said data being in the form of lists of triplets (x, y, θ) of coordinates of minutiae of fingerprints of individuals.

10. Encrypting method according to claim 1, in which each coordinate of a triplet (x, y, θ) is coded on one byte, and the alphabet contains all the possible configurations of triplets each coordinate of which is coded on one byte.

11. Method for identifying an individual (I), in a system comprising a control server (SC), suitable for acquiring a biometric data item (B) of the individual (I) to be identified, and a server (SG) managing a base (DB) containing individual biometric data of listed individuals, in which, in order to identify the individual (I), his data item (B) is compared with the N data (A^(j)) in the base (DB) in order to identify the data item (A^(j)) or items in the base having a degree of similarity with the data item of the individual exceeding a predetermined threshold, the method being characterised in that, before the step of comparing the data item of the individual with the data in the base, these are encrypted by the management server (SG) using the method according to claim 1.

12. Method according to claim 11, in which the biometric data item (B) of the individual to be identified is in the form of a list of elements (b_(i)), each element (b_(i)) of which is a symbol (x_(i)) of the alphabet ( ), and in which the management server communicates the protected set (LOCK (A¹, . . . , A^(N))) to the control server (SC) and, from the biometric data item (B) of the individual to be identified, the control server (SC) implements a step of decrypting the protected set (LOCK (A¹, . . . , A^(N))), the decrypting step comprising the steps consisting of: selecting a subset of the protected set (LOCK (A¹, . . . , A^(N))) comprising all the indexed sets (S_(i)) corresponding to the symbols (x_(i)) of the alphabet ( ) present in the list of elements (b_(i)) that constitutes the data item (B) of the individual (I), using a list recovery algorithm the argument of which is said selected subset and the result of which is a set of encoding functions such that, if the data item (B) of the individual corresponds to a data item (A^(j)) in the base, the set of encoding functions contains the encoding function (F_(j)) corresponding to said data item (A^(j)).

13. Method according to claim 12, in which, from the encoding function or functions obtained, the control server determines the data item or items (A^(j)) in the base (DB) corresponding to the data item (B) of the individual with a degree of similarity greater than a predetermined threshold.

14. Method according to claim 12, in which the control server (SC) determines the image of the encoding functions of the set resulting from the list recovery algorithm by means of the public hash function (Hash), and compares this image with the images of the encoding functions corresponding to the data in the base contained in the protected set (LOCK (A¹, . . . , A^(N))).